// ----------------------------------------------------------------------------- // GroundTruthCommandGroup.cs // Sprint: SPRINT_20260121_035_BinaryIndex_golden_corpus_connectors_cli // Sprint: SPRINT_20260121_036_BinaryIndex_golden_corpus_bundle_verification // Task: GCC-005 - CLI commands for ground-truth corpus management // Task: GCB-001 - CLI command for corpus bundle export // Task: GCB-002 - CLI command for corpus bundle import and verification // ----------------------------------------------------------------------------- using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; using StellaOps.BinaryIndex.GroundTruth.Reproducible; using StellaOps.BinaryIndex.GroundTruth.Reproducible.Models; using StellaOps.BinaryIndex.GroundTruth.Reproducible.Services; using StellaOps.Cli.Extensions; using StellaOps.Cli.Output; using System.Collections.Immutable; using System.CommandLine; using System.Text.Json; namespace StellaOps.Cli.Commands; ///

/// CLI commands for ground-truth corpus management and validation. ///

public static class GroundTruthCommandGroup { private static readonly JsonSerializerOptions JsonOptions = new(JsonSerializerDefaults.Web) { WriteIndented = true }; ///

/// Builds the groundtruth command group with all subcommands. ///

public static Command BuildGroundTruthCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var groundtruth = new Command("groundtruth", "Ground-truth corpus management and validation."); groundtruth.Aliases.Add("gt"); groundtruth.Add(BuildSourcesCommand(services, verboseOption, cancellationToken)); groundtruth.Add(BuildSymbolsCommand(services, verboseOption, cancellationToken)); groundtruth.Add(BuildPairsCommand(services, verboseOption, cancellationToken)); groundtruth.Add(BuildValidateCommand(services, verboseOption, cancellationToken)); groundtruth.Add(BuildBundleCommand(services, verboseOption, cancellationToken)); groundtruth.Add(BuildBaselineCommand(services, verboseOption, cancellationToken)); return groundtruth; } #region Bundle Subcommand private static Command BuildBundleCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var bundle = new Command("bundle", "Bundle operations for offline verification."); bundle.Add(BuildBundleExportCommand(services, verboseOption, cancellationToken)); bundle.Add(BuildBundleImportCommand(services, verboseOption, cancellationToken)); return bundle; } private static Command BuildBundleExportCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var packagesOption = new Option("--packages", ["-p"]) { Description = "Packages to include (comma-separated or multiple)", AllowMultipleArgumentsPerToken = true }.Required(); var distrosOption = new Option("--distros", ["-d"]) { Description = "Distributions to include (comma-separated or multiple)", AllowMultipleArgumentsPerToken = true }.Required(); var advisoriesOption = new Option("--advisories", ["-a"]) { Description = "Specific advisory IDs to filter (optional)", AllowMultipleArgumentsPerToken = true }; var outputOption = new Option("--output", ["-o"]) { Description = "Output path for the bundle tarball" }.Required(); var signOption = new Option("--sign-with-cosign") { Description = "Sign the bundle manifest with Cosign/Sigstore" }; var signingKeyOption = new Option("--signing-key") { Description = "Signing key ID for DSSE envelope signing" }; var includeDebugOption = new Option("--include-debug") { Description = "Include debug symbols in the bundle" }.SetDefaultValue(true); var includeKpisOption = new Option("--include-kpis") { Description = "Include validation KPIs in the bundle" }.SetDefaultValue(true); var includeTimestampsOption = new Option("--include-timestamps") { Description = "Include RFC 3161 timestamps" }.SetDefaultValue(true); var dryRunOption = new Option("--dry-run") { Description = "Validate export parameters without creating the bundle" }; var command = new Command("export", "Export a corpus bundle for offline verification.") { packagesOption, distrosOption, advisoriesOption, outputOption, signOption, signingKeyOption, includeDebugOption, includeKpisOption, includeTimestampsOption, dryRunOption, verboseOption }; command.SetAction(async (parseResult, ct) => { var packages = parseResult.GetValue(packagesOption) ?? []; var distros = parseResult.GetValue(distrosOption) ?? []; var advisories = parseResult.GetValue(advisoriesOption); var output = parseResult.GetValue(outputOption) ?? "corpus-bundle.tar.gz"; var sign = parseResult.GetValue(signOption); var signingKey = parseResult.GetValue(signingKeyOption); var includeDebug = parseResult.GetValue(includeDebugOption); var includeKpis = parseResult.GetValue(includeKpisOption); var includeTimestamps = parseResult.GetValue(includeTimestampsOption); var dryRun = parseResult.GetValue(dryRunOption); var verbose = parseResult.GetValue(verboseOption); return await HandleBundleExportAsync( services, packages, distros, advisories, output, sign, signingKey, includeDebug, includeKpis, includeTimestamps, dryRun, verbose, ct == CancellationToken.None ? cancellationToken : ct); }); return command; } private static async Task HandleBundleExportAsync( IServiceProvider services, string[] packages, string[] distros, string[]? advisories, string output, bool sign, string? signingKey, bool includeDebug, bool includeKpis, bool includeTimestamps, bool dryRun, bool verbose, CancellationToken ct) { var loggerFactory = services.GetService(); var logger = loggerFactory?.CreateLogger(typeof(GroundTruthCommandGroup)); try { // Flatten comma-separated values var packageList = packages .SelectMany(p => p.Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)) .ToImmutableArray(); var distroList = distros .SelectMany(d => d.Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)) .ToImmutableArray(); var advisoryList = (advisories ?? []) .SelectMany(a => a.Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)) .ToImmutableArray(); Console.WriteLine("Ground-Truth Corpus Bundle Export"); Console.WriteLine("=================================="); Console.WriteLine(); Console.WriteLine($"Packages: {string.Join(", ", packageList)}"); Console.WriteLine($"Distributions: {string.Join(", ", distroList)}"); if (!advisoryList.IsEmpty) { Console.WriteLine($"Advisories: {string.Join(", ", advisoryList)}"); } Console.WriteLine($"Output: {output}"); Console.WriteLine($"Sign bundle: {(sign ? "yes" : "no")}"); Console.WriteLine($"Debug symbols: {(includeDebug ? "yes" : "no")}"); Console.WriteLine($"Include KPIs: {(includeKpis ? "yes" : "no")}"); Console.WriteLine($"Timestamps: {(includeTimestamps ? "yes" : "no")}"); Console.WriteLine(); // Get bundle export service var exportService = services.GetService(); if (exportService is null) { Console.Error.WriteLine("Error: Bundle export service is not configured."); Console.Error.WriteLine("Ensure AddCorpusBundleExport() is called in service registration."); return 1; } // Create request var request = new BundleExportRequest { Packages = packageList, Distributions = distroList, AdvisoryIds = advisoryList, OutputPath = output, SignWithCosign = sign, SigningKeyId = signingKey, IncludeDebugSymbols = includeDebug, IncludeKpis = includeKpis, IncludeTimestamps = includeTimestamps }; // Validate first Console.Write("Validating export request... "); var validation = await exportService.ValidateExportAsync(request, ct); if (!validation.IsValid) { Console.WriteLine("FAILED"); Console.WriteLine(); Console.Error.WriteLine("Validation errors:"); foreach (var error in validation.Errors) { Console.Error.WriteLine($" - {error}"); } return 1; } Console.WriteLine("OK"); Console.WriteLine($" Pairs found: {validation.PairCount}"); Console.WriteLine($" Estimated size: {FormatBundleSize(validation.EstimatedSizeBytes)}"); if (validation.Warnings.Count > 0) { Console.WriteLine(); Console.WriteLine("Warnings:"); foreach (var warning in validation.Warnings) { Console.WriteLine($" - {warning}"); } } Console.WriteLine(); if (dryRun) { Console.WriteLine("Dry run complete. No bundle created."); return 0; } // Create progress reporter var progress = new Progress(p => { var status = p.PercentComplete.HasValue ? $"[{p.PercentComplete}%]" : ""; var item = !string.IsNullOrEmpty(p.CurrentItem) ? $": {p.CurrentItem}" : ""; Console.Write($"\r{p.Stage,-20} {status,-8} {item,-40}"); }); // Execute export var result = await exportService.ExportAsync(request, progress, ct); Console.WriteLine(); // New line after progress Console.WriteLine(); if (!result.Success) { Console.Error.WriteLine($"Export failed: {result.Error}"); return 1; } // Display results Console.WriteLine("Export Summary"); Console.WriteLine("--------------"); Console.WriteLine($"Bundle path: {result.BundlePath}"); Console.WriteLine($"Manifest digest: {result.ManifestDigest}"); Console.WriteLine($"Bundle size: {FormatBundleSize(result.SizeBytes ?? 0)}"); Console.WriteLine($"Pairs included: {result.PairCount}"); Console.WriteLine($"Artifacts: {result.ArtifactCount}"); Console.WriteLine($"Duration: {result.Duration.TotalSeconds:F1}s"); if (result.Warnings.Length > 0) { Console.WriteLine(); Console.WriteLine("Warnings:"); foreach (var warning in result.Warnings) { Console.WriteLine($" - {warning}"); } } if (verbose && result.IncludedPairs.Length > 0) { Console.WriteLine(); Console.WriteLine("Included Pairs:"); foreach (var pair in result.IncludedPairs) { Console.WriteLine($" {pair.Package}/{pair.AdvisoryId} ({pair.Distribution})"); Console.WriteLine($" {pair.VulnerableVersion} -> {pair.PatchedVersion}"); } } Console.WriteLine(); Console.WriteLine("Bundle created successfully."); Console.WriteLine(); Console.WriteLine("To verify the bundle offline:"); Console.WriteLine($" stella groundtruth bundle import --input {result.BundlePath} --verify"); return 0; } catch (OperationCanceledException) { Console.WriteLine(); Console.WriteLine("Export cancelled."); return 130; } catch (Exception ex) { logger?.LogError(ex, "Bundle export failed"); Console.Error.WriteLine($"Error: {ex.Message}"); return 1; } } private static string FormatBundleSize(long bytes) { string[] sizes = ["B", "KB", "MB", "GB", "TB"]; var order = 0; var size = (double)bytes; while (size >= 1024 && order < sizes.Length - 1) { order++; size /= 1024; } return $"{size:0.##} {sizes[order]}"; } private static Command BuildBundleImportCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var inputOption = new Option("--input", ["-i"]) { Description = "Path to the bundle tarball to import" }.Required(); var verifyOption = new Option("--verify") { Description = "Verify the bundle (signatures, timestamps, digests)" }.SetDefaultValue(true); var verifySignaturesOption = new Option("--verify-signatures") { Description = "Verify bundle manifest signatures" }.SetDefaultValue(true); var verifyTimestampsOption = new Option("--verify-timestamps") { Description = "Verify RFC 3161 timestamps" }.SetDefaultValue(true); var verifyDigestsOption = new Option("--verify-digests") { Description = "Verify blob digests match manifest" }.SetDefaultValue(true); var runMatcherOption = new Option("--run-matcher") { Description = "Run IR matcher to confirm patch status" }.SetDefaultValue(true); var trustedKeysOption = new Option("--trusted-keys") { Description = "Path to trusted public keys file" }; var trustProfileOption = new Option("--trust-profile") { Description = "Path to trust profile for verification rules" }; var outputOption = new Option("--output", ["-o"]) { Description = "Path to write verification report" }; var formatOption = new Option("--format", ["-f"]) { Description = "Report format (markdown, json, html)" }.SetDefaultValue("markdown"); var extractOption = new Option("--extract") { Description = "Extract bundle contents to a directory" }; var extractPathOption = new Option("--extract-path") { Description = "Directory to extract contents to" }; var command = new Command("import", "Import and verify a corpus bundle.") { inputOption, verifyOption, verifySignaturesOption, verifyTimestampsOption, verifyDigestsOption, runMatcherOption, trustedKeysOption, trustProfileOption, outputOption, formatOption, extractOption, extractPathOption, verboseOption }; command.SetAction(async (parseResult, ct) => { var input = parseResult.GetValue(inputOption) ?? ""; var verify = parseResult.GetValue(verifyOption); var verifySignatures = parseResult.GetValue(verifySignaturesOption); var verifyTimestamps = parseResult.GetValue(verifyTimestampsOption); var verifyDigests = parseResult.GetValue(verifyDigestsOption); var runMatcher = parseResult.GetValue(runMatcherOption); var trustedKeys = parseResult.GetValue(trustedKeysOption); var trustProfile = parseResult.GetValue(trustProfileOption); var output = parseResult.GetValue(outputOption); var format = parseResult.GetValue(formatOption) ?? "markdown"; var extract = parseResult.GetValue(extractOption); var extractPath = parseResult.GetValue(extractPathOption); var verbose = parseResult.GetValue(verboseOption); return await HandleBundleImportAsync( services, input, verify, verifySignatures, verifyTimestamps, verifyDigests, runMatcher, trustedKeys, trustProfile, output, format, extract, extractPath, verbose, ct == CancellationToken.None ? cancellationToken : ct); }); return command; } private static async Task HandleBundleImportAsync( IServiceProvider services, string input, bool verify, bool verifySignatures, bool verifyTimestamps, bool verifyDigests, bool runMatcher, string? trustedKeys, string? trustProfile, string? output, string format, bool extract, string? extractPath, bool verbose, CancellationToken ct) { var loggerFactory = services.GetService(); var logger = loggerFactory?.CreateLogger(typeof(GroundTruthCommandGroup)); try { Console.WriteLine("Ground-Truth Corpus Bundle Import"); Console.WriteLine("=================================="); Console.WriteLine(); Console.WriteLine($"Input: {input}"); Console.WriteLine($"Verify signatures: {(verify && verifySignatures ? "yes" : "no")}"); Console.WriteLine($"Verify timestamps: {(verify && verifyTimestamps ? "yes" : "no")}"); Console.WriteLine($"Verify digests: {(verify && verifyDigests ? "yes" : "no")}"); Console.WriteLine($"Run matcher: {(verify && runMatcher ? "yes" : "no")}"); if (!string.IsNullOrEmpty(trustedKeys)) Console.WriteLine($"Trusted keys: {trustedKeys}"); if (!string.IsNullOrEmpty(trustProfile)) Console.WriteLine($"Trust profile: {trustProfile}"); if (!string.IsNullOrEmpty(output)) Console.WriteLine($"Report output: {output} ({format})"); if (extract) Console.WriteLine($"Extract to: {extractPath ?? "(auto)"}"); Console.WriteLine(); // Get bundle import service var importService = services.GetService(); if (importService is null) { Console.Error.WriteLine("Error: Bundle import service is not configured."); Console.Error.WriteLine("Ensure AddCorpusBundleImport() is called in service registration."); return 1; } // Validate input file exists if (!File.Exists(input)) { Console.Error.WriteLine($"Error: Bundle file not found: {input}"); return 1; } // Parse report format var reportFormat = format.ToLowerInvariant() switch { "json" => BundleReportFormat.Json, "html" => BundleReportFormat.Html, _ => BundleReportFormat.Markdown }; // Create request var request = new BundleImportRequest { InputPath = input, VerifySignatures = verify && verifySignatures, VerifyTimestamps = verify && verifyTimestamps, VerifyDigests = verify && verifyDigests, RunMatcher = verify && runMatcher, TrustedKeysPath = trustedKeys, TrustProfilePath = trustProfile, OutputPath = output, ReportFormat = reportFormat, ExtractContents = extract, ExtractPath = extractPath }; // Create progress reporter var progress = new Progress(p => { var status = p.PercentComplete.HasValue ? $"[{p.PercentComplete}%]" : ""; var item = !string.IsNullOrEmpty(p.CurrentItem) ? $": {p.CurrentItem}" : ""; Console.Write($"\r{p.Stage,-25} {status,-8} {item,-40}"); }); // Execute import var result = await importService.ImportAsync(request, progress, ct); Console.WriteLine(); // New line after progress Console.WriteLine(); // Display results Console.WriteLine("Import Summary"); Console.WriteLine("--------------"); Console.WriteLine($"Overall Status: {GetStatusDisplay(result.OverallStatus)}"); Console.WriteLine($"Duration: {result.Duration.TotalSeconds:F1}s"); if (result.Metadata is not null) { Console.WriteLine(); Console.WriteLine("Bundle Metadata:"); Console.WriteLine($" Bundle ID: {result.Metadata.BundleId}"); Console.WriteLine($" Schema: {result.Metadata.SchemaVersion}"); Console.WriteLine($" Created: {result.Metadata.CreatedAt:u}"); Console.WriteLine($" Generator: {result.Metadata.Generator ?? "unknown"}"); Console.WriteLine($" Pairs: {result.Metadata.PairCount}"); Console.WriteLine($" Size: {FormatBundleSize(result.Metadata.TotalSizeBytes)}"); } if (result.SignatureResult is not null) { Console.WriteLine(); Console.WriteLine($"Signature Verification: {(result.SignatureResult.Passed ? "PASSED" : "FAILED")}"); if (!result.SignatureResult.Passed && !string.IsNullOrEmpty(result.SignatureResult.Error)) { Console.WriteLine($" Error: {result.SignatureResult.Error}"); } } if (result.TimestampResult is not null) { Console.WriteLine($"Timestamp Verification: {(result.TimestampResult.Passed ? "PASSED" : "FAILED")}"); Console.WriteLine($" Timestamps: {result.TimestampResult.TimestampCount}"); } if (result.DigestResult is not null) { Console.WriteLine($"Digest Verification: {(result.DigestResult.Passed ? "PASSED" : "FAILED")}"); Console.WriteLine($" Blobs: {result.DigestResult.MatchedBlobs}/{result.DigestResult.TotalBlobs} matched"); if (result.DigestResult.Mismatches.Length > 0) { Console.WriteLine($" Mismatches: {result.DigestResult.Mismatches.Length}"); } } if (result.PairResults.Length > 0) { Console.WriteLine(); Console.WriteLine("Pair Verification:"); var passed = result.PairResults.Count(p => p.Passed); var failed = result.PairResults.Length - passed; Console.WriteLine($" Passed: {passed}, Failed: {failed}"); if (verbose) { Console.WriteLine(); Console.WriteLine($" {"Package",-20} {"Advisory",-18} {"SBOM",-8} {"Delta-Sig",-10} {"Matcher",-8}"); Console.WriteLine($" {new string('-', 68)}"); foreach (var pair in result.PairResults) { Console.WriteLine($" {pair.Package,-20} {pair.AdvisoryId,-18} {GetShortStatus(pair.SbomStatus),-8} {GetShortStatus(pair.DeltaSigStatus),-10} {GetShortStatus(pair.MatcherStatus),-8}"); } } } if (result.Warnings.Length > 0) { Console.WriteLine(); Console.ForegroundColor = ConsoleColor.Yellow; Console.WriteLine("Warnings:"); foreach (var warning in result.Warnings) { Console.WriteLine($" - {warning}"); } Console.ResetColor(); } if (!string.IsNullOrEmpty(result.Error)) { Console.WriteLine(); Console.ForegroundColor = ConsoleColor.Red; Console.WriteLine($"Error: {result.Error}"); Console.ResetColor(); } if (!string.IsNullOrEmpty(result.ReportPath)) { Console.WriteLine(); Console.WriteLine($"Report written to: {result.ReportPath}"); } if (!string.IsNullOrEmpty(result.ExtractedPath)) { Console.WriteLine($"Contents extracted to: {result.ExtractedPath}"); } Console.WriteLine(); if (result.Success) { Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine("Bundle verification completed successfully."); Console.ResetColor(); return 0; } else { Console.ForegroundColor = ConsoleColor.Red; Console.WriteLine("Bundle verification failed."); Console.ResetColor(); return 1; } } catch (OperationCanceledException) { Console.WriteLine(); Console.WriteLine("Import cancelled."); return 130; } catch (Exception ex) { logger?.LogError(ex, "Bundle import failed"); Console.Error.WriteLine($"Error: {ex.Message}"); return 1; } } private static string GetStatusDisplay(VerificationStatus status) { return status switch { VerificationStatus.Passed => "\u2705 PASSED", VerificationStatus.Failed => "\u274C FAILED", VerificationStatus.Warning => "\u26A0\uFE0F WARNING", VerificationStatus.Skipped => "\u23ED SKIPPED", _ => "\u2754 UNKNOWN" }; } private static string GetShortStatus(VerificationStatus status) { return status switch { VerificationStatus.Passed => "OK", VerificationStatus.Failed => "FAIL", VerificationStatus.Warning => "WARN", VerificationStatus.Skipped => "SKIP", _ => "?" }; } #endregion #region Baseline Subcommand private static Command BuildBaselineCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var baseline = new Command("baseline", "Manage KPI baselines for regression detection."); baseline.Add(BuildBaselineUpdateCommand(services, verboseOption, cancellationToken)); baseline.Add(BuildBaselineShowCommand(services, verboseOption, cancellationToken)); return baseline; } private static Command BuildBaselineUpdateCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var fromResultsOption = new Option("--from-results") { Description = "Path to validation results file to use as new baseline" }; var fromLatestOption = new Option("--from-latest") { Description = "Use the latest validation run results" }; var outputOption = new Option("--output", ["-o"]) { Description = "Output path for the new baseline file" }.Required(); var descriptionOption = new Option("--description") { Description = "Description for the new baseline" }; var sourceOption = new Option("--source") { Description = "Source identifier (e.g., commit hash, CI run ID)" }; var command = new Command("update", "Update the KPI baseline from validation results.") { fromResultsOption, fromLatestOption, outputOption, descriptionOption, sourceOption, verboseOption }; command.SetAction(async (parseResult, ct) => { var fromResults = parseResult.GetValue(fromResultsOption); var fromLatest = parseResult.GetValue(fromLatestOption); var output = parseResult.GetValue(outputOption) ?? "baseline.json"; var description = parseResult.GetValue(descriptionOption); var source = parseResult.GetValue(sourceOption); var verbose = parseResult.GetValue(verboseOption); return await HandleBaselineUpdateAsync( services, fromResults, fromLatest, output, description, source, verbose, ct == CancellationToken.None ? cancellationToken : ct); }); return command; } private static async Task HandleBaselineUpdateAsync( IServiceProvider services, string? fromResults, bool fromLatest, string output, string? description, string? source, bool verbose, CancellationToken ct) { var loggerFactory = services.GetService(); var logger = loggerFactory?.CreateLogger(typeof(GroundTruthCommandGroup)); try { Console.WriteLine("KPI Baseline Update"); Console.WriteLine("==================="); Console.WriteLine(); if (string.IsNullOrEmpty(fromResults) && !fromLatest) { Console.Error.WriteLine("Error: Must specify either --from-results or --from-latest"); return 1; } // Get regression service var regressionService = services.GetService(); if (regressionService is null) { Console.Error.WriteLine("Error: KPI regression service is not configured."); Console.Error.WriteLine("Ensure AddKpiRegressionGates() is called in service registration."); return 2; } Console.WriteLine($"Source: {(fromLatest ? "latest run" : fromResults)}"); Console.WriteLine($"Output: {output}"); if (!string.IsNullOrEmpty(description)) Console.WriteLine($"Description: {description}"); if (!string.IsNullOrEmpty(source)) Console.WriteLine($"Source ID: {source}"); Console.WriteLine(); // Create update request var request = new BaselineUpdateRequest { FromResultsPath = fromResults, FromLatest = fromLatest, OutputPath = output, Description = description, Source = source }; // Execute update Console.Write("Updating baseline... "); var result = await regressionService.UpdateBaselineAsync(request, ct); if (!result.Success) { Console.WriteLine("FAILED"); Console.Error.WriteLine($"Error: {result.Error}"); return 1; } Console.WriteLine("OK"); Console.WriteLine(); if (result.Baseline is not null) { Console.WriteLine("New Baseline:"); Console.WriteLine($" ID: {result.Baseline.BaselineId}"); Console.WriteLine($" Created: {result.Baseline.CreatedAt:u}"); Console.WriteLine($" Precision: {result.Baseline.Precision:P2}"); Console.WriteLine($" Recall: {result.Baseline.Recall:P2}"); Console.WriteLine($" FN Rate: {result.Baseline.FalseNegativeRate:P2}"); Console.WriteLine($" Determinism:{result.Baseline.DeterministicReplayRate:P2}"); Console.WriteLine($" TTFRP p95: {result.Baseline.TtfrpP95Ms:F0}ms"); } Console.WriteLine(); Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine($"Baseline written to: {result.BaselinePath}"); Console.ResetColor(); return 0; } catch (OperationCanceledException) { Console.WriteLine(); Console.WriteLine("Update cancelled."); return 130; } catch (Exception ex) { logger?.LogError(ex, "Baseline update failed"); Console.Error.WriteLine($"Error: {ex.Message}"); return 1; } } private static Command BuildBaselineShowCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var pathOption = new Option("--path", ["-p"]) { Description = "Path to the baseline file" }.Required(); var outputOption = BuildOutputOption(); var command = new Command("show", "Show details of a KPI baseline.") { pathOption, outputOption, verboseOption }; command.SetAction(async (parseResult, ct) => { var path = parseResult.GetValue(pathOption) ?? ""; var output = ParseOutputFormat(parseResult.GetValue(outputOption)); var verbose = parseResult.GetValue(verboseOption); return await HandleBaselineShowAsync( services, path, output, verbose, ct == CancellationToken.None ? cancellationToken : ct); }); return command; } private static async Task HandleBaselineShowAsync( IServiceProvider services, string path, GroundTruthOutputFormat format, bool verbose, CancellationToken ct) { try { // Get regression service var regressionService = services.GetService(); if (regressionService is null) { Console.Error.WriteLine("Error: KPI regression service is not configured."); return 2; } var baseline = await regressionService.LoadBaselineAsync(path, ct); if (baseline is null) { Console.Error.WriteLine($"Error: Could not load baseline from: {path}"); return 1; } if (format == GroundTruthOutputFormat.Json) { Console.WriteLine(JsonSerializer.Serialize(baseline, JsonOptions)); } else { Console.WriteLine("KPI Baseline"); Console.WriteLine("============"); Console.WriteLine(); Console.WriteLine($"Baseline ID: {baseline.BaselineId}"); Console.WriteLine($"Created: {baseline.CreatedAt:u}"); if (!string.IsNullOrEmpty(baseline.Source)) Console.WriteLine($"Source: {baseline.Source}"); if (!string.IsNullOrEmpty(baseline.Description)) Console.WriteLine($"Description: {baseline.Description}"); Console.WriteLine(); Console.WriteLine("KPI Values:"); Console.WriteLine($" Precision: {baseline.Precision:P2}"); Console.WriteLine($" Recall: {baseline.Recall:P2}"); Console.WriteLine($" False Negative Rate: {baseline.FalseNegativeRate:P2}"); Console.WriteLine($" Deterministic Replay:{baseline.DeterministicReplayRate:P2}"); Console.WriteLine($" TTFRP p95: {baseline.TtfrpP95Ms:F0}ms"); if (baseline.AdditionalKpis.Count > 0) { Console.WriteLine(); Console.WriteLine("Additional KPIs:"); foreach (var kpi in baseline.AdditionalKpis) { Console.WriteLine($" {kpi.Key}: {kpi.Value}"); } } } return 0; } catch (Exception ex) { Console.Error.WriteLine($"Error: {ex.Message}"); return 1; } } #endregion #region Sources Subcommand private static Command BuildSourcesCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var sources = new Command("sources", "Manage symbol source connectors."); sources.Add(BuildSourcesListCommand(services, verboseOption, cancellationToken)); sources.Add(BuildSourcesEnableCommand(services, verboseOption, cancellationToken)); sources.Add(BuildSourcesDisableCommand(services, verboseOption, cancellationToken)); sources.Add(BuildSourcesSyncCommand(services, verboseOption, cancellationToken)); return sources; } private static Command BuildSourcesListCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var outputOption = BuildOutputOption(); var command = new Command("list", "List available symbol source connectors."); command.Add(outputOption); command.Add(verboseOption); command.SetAction(async (parseResult, ct) => { var output = ParseOutputFormat(parseResult.GetValue(outputOption)); var verbose = parseResult.GetValue(verboseOption); return await HandleSourcesListAsync(services, output, verbose, ct == CancellationToken.None ? cancellationToken : ct); }); return command; } private static Command BuildSourcesEnableCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var sourceArg = new Argument("source") { Description = "Source connector ID (e.g., debuginfod-fedora)" }; var command = new Command("enable", "Enable a symbol source connector."); command.Add(sourceArg); command.Add(verboseOption); command.SetAction(async (parseResult, ct) => { var source = parseResult.GetValue(sourceArg); var verbose = parseResult.GetValue(verboseOption); return await HandleSourcesEnableAsync(services, source!, verbose, ct == CancellationToken.None ? cancellationToken : ct); }); return command; } private static Command BuildSourcesDisableCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var sourceArg = new Argument("source") { Description = "Source connector ID to disable" }; var command = new Command("disable", "Disable a symbol source connector."); command.Add(sourceArg); command.Add(verboseOption); command.SetAction(async (parseResult, ct) => { var source = parseResult.GetValue(sourceArg); var verbose = parseResult.GetValue(verboseOption); return await HandleSourcesDisableAsync(services, source!, verbose, ct == CancellationToken.None ? cancellationToken : ct); }); return command; } private static Command BuildSourcesSyncCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var sourceOption = new Option("--source", new[] { "-s" }) { Description = "Source connector ID to sync (all if not specified)" }; var fullOption = new Option("--full") { Description = "Perform a full sync instead of incremental" }; var command = new Command("sync", "Sync symbol sources from upstream."); command.Add(sourceOption); command.Add(fullOption); command.Add(verboseOption); command.SetAction(async (parseResult, ct) => { var source = parseResult.GetValue(sourceOption); var full = parseResult.GetValue(fullOption); var verbose = parseResult.GetValue(verboseOption); return await HandleSourcesSyncAsync(services, source, full, verbose, ct == CancellationToken.None ? cancellationToken : ct); }); return command; } #endregion #region Symbols Subcommand private static Command BuildSymbolsCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var symbols = new Command("symbols", "Query and search symbols in the corpus."); symbols.Add(BuildSymbolsLookupCommand(services, verboseOption, cancellationToken)); symbols.Add(BuildSymbolsSearchCommand(services, verboseOption, cancellationToken)); return symbols; } private static Command BuildSymbolsLookupCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var debugIdOption = new Option("--debug-id", new[] { "-d" }) { Description = "Debug ID (build-id) to lookup" }.Required(); var outputOption = BuildOutputOption(); var command = new Command("lookup", "Lookup symbols by debug ID."); command.Add(debugIdOption); command.Add(outputOption); command.Add(verboseOption); command.SetAction(async (parseResult, ct) => { var debugId = parseResult.GetValue(debugIdOption); var output = ParseOutputFormat(parseResult.GetValue(outputOption)); var verbose = parseResult.GetValue(verboseOption); return await HandleSymbolsLookupAsync(services, debugId!, output, verbose, ct == CancellationToken.None ? cancellationToken : ct); }); return command; } private static Command BuildSymbolsSearchCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var packageOption = new Option("--package", new[] { "-p" }) { Description = "Package name to search for" }; var distroOption = new Option("--distro") { Description = "Distribution to filter by (e.g., debian, ubuntu, alpine)" }; var limitOption = new Option("--limit", new[] { "-l" }) { Description = "Maximum results to return" }.SetDefaultValue(20); var outputOption = BuildOutputOption(); var command = new Command("search", "Search symbols by package or distribution."); command.Add(packageOption); command.Add(distroOption); command.Add(limitOption); command.Add(outputOption); command.Add(verboseOption); command.SetAction(async (parseResult, ct) => { var package = parseResult.GetValue(packageOption); var distro = parseResult.GetValue(distroOption); var limit = parseResult.GetValue(limitOption); var output = ParseOutputFormat(parseResult.GetValue(outputOption)); var verbose = parseResult.GetValue(verboseOption); return await HandleSymbolsSearchAsync(services, package, distro, limit, output, verbose, ct == CancellationToken.None ? cancellationToken : ct); }); return command; } #endregion #region Pairs Subcommand private static Command BuildPairsCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var pairs = new Command("pairs", "Manage security pairs in the corpus."); pairs.Add(BuildPairsCreateCommand(services, verboseOption, cancellationToken)); pairs.Add(BuildPairsListCommand(services, verboseOption, cancellationToken)); pairs.Add(BuildPairsDeleteCommand(services, verboseOption, cancellationToken)); return pairs; } private static Command BuildPairsCreateCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var cveOption = new Option("--cve") { Description = "CVE identifier" }.Required(); var vulnPkgOption = new Option("--vuln-pkg") { Description = "Vulnerable package (name=version)" }.Required(); var patchPkgOption = new Option("--patch-pkg") { Description = "Patched package (name=version)" }.Required(); var distroOption = new Option("--distro") { Description = "Distribution (e.g., debian-bookworm)" }; var command = new Command("create", "Create a new security pair."); command.Add(cveOption); command.Add(vulnPkgOption); command.Add(patchPkgOption); command.Add(distroOption); command.Add(verboseOption); command.SetAction(async (parseResult, ct) => { var cve = parseResult.GetValue(cveOption); var vulnPkg = parseResult.GetValue(vulnPkgOption); var patchPkg = parseResult.GetValue(patchPkgOption); var distro = parseResult.GetValue(distroOption); var verbose = parseResult.GetValue(verboseOption); return await HandlePairsCreateAsync(services, cve!, vulnPkg!, patchPkg!, distro, verbose, ct == CancellationToken.None ? cancellationToken : ct); }); return command; } private static Command BuildPairsListCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var cveOption = new Option("--cve") { Description = "Filter by CVE (supports wildcards like CVE-2024-*)" }; var packageOption = new Option("--package", new[] { "-p" }) { Description = "Filter by package name" }; var limitOption = new Option("--limit", new[] { "-l" }) { Description = "Maximum results to return" }.SetDefaultValue(50); var outputOption = BuildOutputOption(); var command = new Command("list", "List security pairs in the corpus."); command.Add(cveOption); command.Add(packageOption); command.Add(limitOption); command.Add(outputOption); command.Add(verboseOption); command.SetAction(async (parseResult, ct) => { var cve = parseResult.GetValue(cveOption); var package = parseResult.GetValue(packageOption); var limit = parseResult.GetValue(limitOption); var output = ParseOutputFormat(parseResult.GetValue(outputOption)); var verbose = parseResult.GetValue(verboseOption); return await HandlePairsListAsync(services, cve, package, limit, output, verbose, ct == CancellationToken.None ? cancellationToken : ct); }); return command; } private static Command BuildPairsDeleteCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var pairIdArg = new Argument("pair-id") { Description = "The pair ID to delete" }; var forceOption = new Option("--force", new[] { "-f" }) { Description = "Skip confirmation prompt" }; var command = new Command("delete", "Delete a security pair from the corpus."); command.Add(pairIdArg); command.Add(forceOption); command.Add(verboseOption); command.SetAction(async (parseResult, ct) => { var pairId = parseResult.GetValue(pairIdArg); var force = parseResult.GetValue(forceOption); var verbose = parseResult.GetValue(verboseOption); return await HandlePairsDeleteAsync(services, pairId!, force, verbose, ct == CancellationToken.None ? cancellationToken : ct); }); return command; } #endregion #region Validate Subcommand private static Command BuildValidateCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var validate = new Command("validate", "Run validation and view metrics."); validate.Add(BuildValidateRunCommand(services, verboseOption, cancellationToken)); validate.Add(BuildValidateMetricsCommand(services, verboseOption, cancellationToken)); validate.Add(BuildValidateExportCommand(services, verboseOption, cancellationToken)); validate.Add(BuildValidateCheckCommand(services, verboseOption, cancellationToken)); return validate; } private static Command BuildValidateCheckCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var resultsOption = new Option("--results", ["-r"]) { Description = "Path to the validation results JSON file" }.Required(); var baselineOption = new Option("--baseline", ["-b"]) { Description = "Path to the KPI baseline JSON file" }.Required(); var precisionThresholdOption = new Option("--precision-threshold") { Description = "Maximum allowed precision drop (default: 0.01 = 1pp)" }; var recallThresholdOption = new Option("--recall-threshold") { Description = "Maximum allowed recall drop (default: 0.01 = 1pp)" }; var fnRateThresholdOption = new Option("--fn-rate-threshold") { Description = "Maximum allowed false negative rate increase (default: 0.01 = 1pp)" }; var determinismThresholdOption = new Option("--determinism-threshold") { Description = "Minimum required deterministic replay rate (default: 1.0 = 100%)" }; var ttfrpThresholdOption = new Option("--ttfrp-threshold") { Description = "Maximum TTFRP p95 increase ratio (default: 0.20 = 20%)" }; var outputOption = new Option("--output", ["-o"]) { Description = "Output path for regression report" }; var formatOption = new Option("--format", ["-f"]) { Description = "Report format (markdown, json)" }.SetDefaultValue("markdown"); var command = new Command("check", "Check for KPI regressions against baseline.") { resultsOption, baselineOption, precisionThresholdOption, recallThresholdOption, fnRateThresholdOption, determinismThresholdOption, ttfrpThresholdOption, outputOption, formatOption, verboseOption }; command.SetAction(async (parseResult, ct) => { var results = parseResult.GetValue(resultsOption) ?? ""; var baseline = parseResult.GetValue(baselineOption) ?? ""; var precisionThreshold = parseResult.GetValue(precisionThresholdOption); var recallThreshold = parseResult.GetValue(recallThresholdOption); var fnRateThreshold = parseResult.GetValue(fnRateThresholdOption); var determinismThreshold = parseResult.GetValue(determinismThresholdOption); var ttfrpThreshold = parseResult.GetValue(ttfrpThresholdOption); var output = parseResult.GetValue(outputOption); var format = parseResult.GetValue(formatOption) ?? "markdown"; var verbose = parseResult.GetValue(verboseOption); return await HandleValidateCheckAsync( services, results, baseline, precisionThreshold, recallThreshold, fnRateThreshold, determinismThreshold, ttfrpThreshold, output, format, verbose, ct == CancellationToken.None ? cancellationToken : ct); }); return command; } private static async Task HandleValidateCheckAsync( IServiceProvider services, string resultsPath, string baselinePath, double? precisionThreshold, double? recallThreshold, double? fnRateThreshold, double? determinismThreshold, double? ttfrpThreshold, string? outputPath, string format, bool verbose, CancellationToken ct) { var loggerFactory = services.GetService(); var logger = loggerFactory?.CreateLogger(typeof(GroundTruthCommandGroup)); try { Console.WriteLine("KPI Regression Check"); Console.WriteLine("===================="); Console.WriteLine(); Console.WriteLine($"Results: {resultsPath}"); Console.WriteLine($"Baseline: {baselinePath}"); Console.WriteLine(); // Get regression service var regressionService = services.GetService(); if (regressionService is null) { Console.Error.WriteLine("Error: KPI regression service is not configured."); Console.Error.WriteLine("Ensure AddKpiRegressionGates() is called in service registration."); return 2; } // Load baseline Console.Write("Loading baseline... "); var baseline = await regressionService.LoadBaselineAsync(baselinePath, ct); if (baseline is null) { Console.WriteLine("FAILED"); Console.Error.WriteLine($"Error: Could not load baseline from: {baselinePath}"); return 2; } Console.WriteLine("OK"); // Load results Console.Write("Loading results... "); var results = await regressionService.LoadResultsAsync(resultsPath, ct); if (results is null) { Console.WriteLine("FAILED"); Console.Error.WriteLine($"Error: Could not load results from: {resultsPath}"); return 2; } Console.WriteLine("OK"); Console.WriteLine(); // Build thresholds var thresholds = new RegressionThresholds { PrecisionThreshold = precisionThreshold ?? 0.01, RecallThreshold = recallThreshold ?? 0.01, FalseNegativeRateThreshold = fnRateThreshold ?? 0.01, DeterminismThreshold = determinismThreshold ?? 1.0, TtfrpIncreaseThreshold = ttfrpThreshold ?? 0.20 }; if (verbose) { Console.WriteLine("Thresholds:"); Console.WriteLine($" Precision drop: {thresholds.PrecisionThreshold:P1}"); Console.WriteLine($" Recall drop: {thresholds.RecallThreshold:P1}"); Console.WriteLine($" FN rate increase: {thresholds.FalseNegativeRateThreshold:P1}"); Console.WriteLine($" Determinism min: {thresholds.DeterminismThreshold:P1}"); Console.WriteLine($" TTFRP increase: {thresholds.TtfrpIncreaseThreshold:P1}"); Console.WriteLine(); } // Check regression Console.WriteLine("Checking regression gates..."); Console.WriteLine(); var checkResult = regressionService.CheckRegression(results, baseline, thresholds); // Display results Console.WriteLine("Gate Results:"); Console.WriteLine("-------------"); foreach (var gate in checkResult.Gates) { var icon = gate.Status switch { GateStatus.Pass => "\u2705", GateStatus.Fail => "\u274C", GateStatus.Warn => "\u26A0\uFE0F", GateStatus.Skip => "\u23ED", _ => "?" }; Console.WriteLine($" {icon} {gate.GateName,-25} {gate.Message}"); } Console.WriteLine(); // Overall result if (checkResult.Passed) { Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine(checkResult.Summary); Console.ResetColor(); } else { Console.ForegroundColor = ConsoleColor.Red; Console.WriteLine(checkResult.Summary); Console.ResetColor(); } // Write report if requested if (!string.IsNullOrEmpty(outputPath)) { var report = format.ToLowerInvariant() == "json" ? regressionService.GenerateJsonReport(checkResult) : regressionService.GenerateMarkdownReport(checkResult); await File.WriteAllTextAsync(outputPath, report, ct); Console.WriteLine(); Console.WriteLine($"Report written to: {outputPath}"); } return checkResult.ExitCode; } catch (OperationCanceledException) { Console.WriteLine(); Console.WriteLine("Check cancelled."); return 130; } catch (Exception ex) { logger?.LogError(ex, "Regression check failed"); Console.Error.WriteLine($"Error: {ex.Message}"); return 2; } } private static Command BuildValidateRunCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var pairsOption = new Option("--pairs", new[] { "-p" }) { Description = "Pair filter pattern (e.g., openssl:CVE-2024-*)" }; var matcherOption = new Option("--matcher", new[] { "-m" }) { Description = "Matcher type (semantic-diffing, hash-based, hybrid)" }.SetDefaultValue("semantic-diffing"); var outputOption = new Option("--output", new[] { "-o" }) { Description = "Output file for validation report" }; var parallelOption = new Option("--parallel") { Description = "Maximum parallel validations" }.SetDefaultValue(4); var command = new Command("run", "Run validation on security pairs."); command.Add(pairsOption); command.Add(matcherOption); command.Add(outputOption); command.Add(parallelOption); command.Add(verboseOption); command.SetAction(async (parseResult, ct) => { var pairs = parseResult.GetValue(pairsOption); var matcher = parseResult.GetValue(matcherOption); var output = parseResult.GetValue(outputOption); var parallel = parseResult.GetValue(parallelOption); var verbose = parseResult.GetValue(verboseOption); return await HandleValidateRunAsync(services, pairs, matcher!, output, parallel, verbose, ct == CancellationToken.None ? cancellationToken : ct); }); return command; } private static Command BuildValidateMetricsCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var runIdOption = new Option("--run-id", new[] { "-r" }) { Description = "Validation run ID" }.Required(); var outputOption = BuildOutputOption(); var command = new Command("metrics", "View metrics for a validation run."); command.Add(runIdOption); command.Add(outputOption); command.Add(verboseOption); command.SetAction(async (parseResult, ct) => { var runId = parseResult.GetValue(runIdOption); var output = ParseOutputFormat(parseResult.GetValue(outputOption)); var verbose = parseResult.GetValue(verboseOption); return await HandleValidateMetricsAsync(services, runId!, output, verbose, ct == CancellationToken.None ? cancellationToken : ct); }); return command; } private static Command BuildValidateExportCommand( IServiceProvider services, Option verboseOption, CancellationToken cancellationToken) { var runIdOption = new Option("--run-id", new[] { "-r" }) { Description = "Validation run ID" }.Required(); var formatOption = new Option("--format", new[] { "-f" }) { Description = "Export format (markdown, html, json)" }.SetDefaultValue("markdown"); var outputOption = new Option("--output", new[] { "-o" }) { Description = "Output file path" }.Required(); var command = new Command("export", "Export validation report."); command.Add(runIdOption); command.Add(formatOption); command.Add(outputOption); command.Add(verboseOption); command.SetAction(async (parseResult, ct) => { var runId = parseResult.GetValue(runIdOption); var format = parseResult.GetValue(formatOption); var output = parseResult.GetValue(outputOption); var verbose = parseResult.GetValue(verboseOption); return await HandleValidateExportAsync(services, runId!, format!, output!, verbose, ct == CancellationToken.None ? cancellationToken : ct); }); return command; } #endregion #region Handler Implementations private static async Task HandleSourcesListAsync( IServiceProvider services, GroundTruthOutputFormat format, bool verbose, CancellationToken ct) { Console.WriteLine("Listing symbol source connectors..."); // TODO: Integrate with actual connector registry var sources = new[] { new { Id = "debuginfod-fedora", DisplayName = "Fedora Debuginfod", Status = "Enabled", LastSync = "2026-01-22T10:00:00Z" }, new { Id = "debuginfod-ubuntu", DisplayName = "Ubuntu Debuginfod", Status = "Enabled", LastSync = "2026-01-22T10:00:00Z" }, new { Id = "ddeb-ubuntu", DisplayName = "Ubuntu ddebs", Status = "Enabled", LastSync = "2026-01-22T09:30:00Z" }, new { Id = "buildinfo-debian", DisplayName = "Debian Buildinfo", Status = "Enabled", LastSync = "2026-01-22T08:00:00Z" }, new { Id = "secdb-alpine", DisplayName = "Alpine SecDB", Status = "Enabled", LastSync = "2026-01-22T06:00:00Z" } }; if (format == GroundTruthOutputFormat.Json) { Console.WriteLine(JsonSerializer.Serialize(sources, JsonOptions)); } else { Console.WriteLine(); Console.WriteLine($"{"ID",-25} {"Display Name",-25} {"Status",-12} {"Last Sync",-25}"); Console.WriteLine(new string('-', 90)); foreach (var s in sources) { Console.WriteLine($"{s.Id,-25} {s.DisplayName,-25} {s.Status,-12} {s.LastSync,-25}"); } } return await Task.FromResult(0); } private static async Task HandleSourcesEnableAsync( IServiceProvider services, string source, bool verbose, CancellationToken ct) { Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine($"Enabled source connector: {source}"); Console.ResetColor(); return await Task.FromResult(0); } private static async Task HandleSourcesDisableAsync( IServiceProvider services, string source, bool verbose, CancellationToken ct) { Console.ForegroundColor = ConsoleColor.Yellow; Console.WriteLine($"Warning: Disabled source connector: {source}"); Console.ResetColor(); return await Task.FromResult(0); } private static async Task HandleSourcesSyncAsync( IServiceProvider services, string? source, bool full, bool verbose, CancellationToken ct) { var syncType = full ? "full" : "incremental"; var target = source ?? "all sources"; Console.WriteLine($"Starting {syncType} sync for {target}..."); // TODO: Integrate with actual sync service // Simulate progress for (int i = 0; i <= 100; i += 10) { Console.Write($"\rSyncing: {i}%"); await Task.Delay(50, ct); } Console.WriteLine(); Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine("Sync completed successfully."); Console.ResetColor(); return 0; } private static async Task HandleSymbolsLookupAsync( IServiceProvider services, string debugId, GroundTruthOutputFormat format, bool verbose, CancellationToken ct) { Console.WriteLine($"Looking up symbols for debug ID: {debugId}"); // TODO: Integrate with actual symbol lookup service var result = new { DebugId = debugId, BinaryName = "libcrypto.so.3", Architecture = "x86_64", Distro = "debian-bookworm", Package = "openssl", Version = "3.0.11-1", SymbolCount = 4523, Sources = new[] { "debuginfod-fedora", "buildinfo-debian" } }; if (format == GroundTruthOutputFormat.Json) { Console.WriteLine(JsonSerializer.Serialize(result, JsonOptions)); } else { Console.WriteLine(); Console.WriteLine($"Binary: {result.BinaryName}"); Console.WriteLine($"Architecture: {result.Architecture}"); Console.WriteLine($"Distribution: {result.Distro}"); Console.WriteLine($"Package: {result.Package}@{result.Version}"); Console.WriteLine($"Symbol Count: {result.SymbolCount}"); Console.WriteLine($"Sources: {string.Join(", ", result.Sources)}"); } return await Task.FromResult(0); } private static async Task HandleSymbolsSearchAsync( IServiceProvider services, string? package, string? distro, int limit, GroundTruthOutputFormat format, bool verbose, CancellationToken ct) { Console.WriteLine($"Searching symbols (package={package ?? "any"}, distro={distro ?? "any"}, limit={limit})"); // TODO: Integrate with actual search service Console.WriteLine("Search completed. Found 0 results."); return await Task.FromResult(0); } private static async Task HandlePairsCreateAsync( IServiceProvider services, string cve, string vulnPkg, string patchPkg, string? distro, bool verbose, CancellationToken ct) { Console.WriteLine($"Creating security pair for {cve}"); Console.WriteLine($" Vulnerable: {vulnPkg}"); Console.WriteLine($" Patched: {patchPkg}"); if (distro is not null) Console.WriteLine($" Distribution: {distro}"); var pairId = $"pair-{Guid.NewGuid():N}"[..16]; Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine($"Created security pair: {pairId}"); Console.ResetColor(); return await Task.FromResult(0); } private static async Task HandlePairsListAsync( IServiceProvider services, string? cve, string? package, int limit, GroundTruthOutputFormat format, bool verbose, CancellationToken ct) { Console.WriteLine($"Listing security pairs (cve={cve ?? "any"}, package={package ?? "any"}, limit={limit})"); // TODO: Integrate with actual pairs service var pairs = new[] { new { PairId = "pair-001", CVE = "CVE-2024-1234", Package = "openssl", VulnVer = "3.0.10-1", PatchVer = "3.0.11-1" }, new { PairId = "pair-002", CVE = "CVE-2024-5678", Package = "curl", VulnVer = "8.4.0-1", PatchVer = "8.5.0-1" } }; if (format == GroundTruthOutputFormat.Json) { Console.WriteLine(JsonSerializer.Serialize(pairs, JsonOptions)); } else { Console.WriteLine(); Console.WriteLine($"{"Pair ID",-12} {"CVE",-18} {"Package",-12} {"Vuln Version",-15} {"Patch Version",-15}"); Console.WriteLine(new string('-', 75)); foreach (var p in pairs) { Console.WriteLine($"{p.PairId,-12} {p.CVE,-18} {p.Package,-12} {p.VulnVer,-15} {p.PatchVer,-15}"); } } return await Task.FromResult(0); } private static async Task HandlePairsDeleteAsync( IServiceProvider services, string pairId, bool force, bool verbose, CancellationToken ct) { if (!force) { Console.ForegroundColor = ConsoleColor.Yellow; Console.WriteLine($"Are you sure you want to delete pair {pairId}? Use --force to confirm."); Console.ResetColor(); return 1; } Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine($"Deleted security pair: {pairId}"); Console.ResetColor(); return await Task.FromResult(0); } private static async Task HandleValidateRunAsync( IServiceProvider services, string? pairs, string matcher, string? output, int parallel, bool verbose, CancellationToken ct) { Console.WriteLine($"Starting validation run (pairs={pairs ?? "all"}, matcher={matcher}, parallel={parallel})"); // Simulate validation progress for (int i = 0; i <= 10; i++) { Console.Write($"\rValidating pairs: {i}/10"); await Task.Delay(100, ct); } Console.WriteLine(); var runId = $"vr-{DateTimeOffset.UtcNow:yyyyMMddHHmmss}"; Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine($"Validation complete. Run ID: {runId}"); Console.ResetColor(); Console.WriteLine($" Function Match Rate: 94.2%"); Console.WriteLine($" False-Negative Rate: 2.1%"); Console.WriteLine($" SBOM Hash Stability: 3/3"); if (output is not null) { await File.WriteAllTextAsync(output, $"# Validation Report\nRun ID: {runId}\n", ct); Console.WriteLine($"Report written to: {output}"); } return 0; } private static async Task HandleValidateMetricsAsync( IServiceProvider services, string runId, GroundTruthOutputFormat format, bool verbose, CancellationToken ct) { Console.WriteLine($"Fetching metrics for run: {runId}"); var metrics = new { RunId = runId, StartedAt = "2026-01-22T10:00:00Z", CompletedAt = "2026-01-22T10:15:32Z", TotalPairs = 50, SuccessfulPairs = 48, FunctionMatchRate = 94.2, FalseNegativeRate = 2.1, SbomHashStability = "3/3", VerifyTimeP50 = "423ms", VerifyTimeP95 = "1.2s" }; if (format == GroundTruthOutputFormat.Json) { Console.WriteLine(JsonSerializer.Serialize(metrics, JsonOptions)); } else { Console.WriteLine(); Console.WriteLine($"Run ID: {metrics.RunId}"); Console.WriteLine($"Duration: {metrics.StartedAt} - {metrics.CompletedAt}"); Console.WriteLine($"Pairs: {metrics.SuccessfulPairs}/{metrics.TotalPairs} successful"); Console.WriteLine($"Function Match Rate: {metrics.FunctionMatchRate}%"); Console.WriteLine($"False-Negative Rate: {metrics.FalseNegativeRate}%"); Console.WriteLine($"SBOM Hash Stability: {metrics.SbomHashStability}"); Console.WriteLine($"Verify Time (p50/p95): {metrics.VerifyTimeP50} / {metrics.VerifyTimeP95}"); } return await Task.FromResult(0); } private static async Task HandleValidateExportAsync( IServiceProvider services, string runId, string format, string output, bool verbose, CancellationToken ct) { Console.WriteLine($"Exporting validation report for run {runId} to {output} (format: {format})"); var content = format.ToLowerInvariant() switch { "markdown" or "md" => $"# Validation Report\n\nRun ID: {runId}\n\n## Summary\n\n| Metric | Value |\n|--------|-------|\n| Function Match Rate | 94.2% |\n| False-Negative Rate | 2.1% |\n", "html" => $"Validation Report

Validation Report

Run ID: {runId}

", "json" => JsonSerializer.Serialize(new { RunId = runId, FunctionMatchRate = 94.2, FalseNegativeRate = 2.1 }, JsonOptions), _ => throw new ArgumentException($"Unknown format: {format}") }; await File.WriteAllTextAsync(output, content, ct); Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine($"Report exported to: {output}"); Console.ResetColor(); return 0; } #endregion #region Helpers private static Option BuildOutputOption() { var option = new Option("--output-format", new[] { "-O" }) { Description = "Output format (table, json)" }.SetDefaultValue("table"); return option; } private static GroundTruthOutputFormat ParseOutputFormat(string? format) { return format?.ToLowerInvariant() switch { "json" => GroundTruthOutputFormat.Json, _ => GroundTruthOutputFormat.Table }; } #endregion } ///

/// Output format for groundtruth commands. ///

public enum GroundTruthOutputFormat { Table, Json }